quasar | ed07371994b2bce11a662df8ab5603ed80a73c30cdd4f29d922eae221320a39b

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b664d1737e4b08517167fff2d19bade.exe
Size

535KB
MD5

9b664d1737e4b08517167fff2d19bade
SHA1

dbbc1588618273813ca9f3de2708f4f4b7934029
SHA256

ed07371994b2bce11a662df8ab5603ed80a73c30cdd4f29d922eae221320a39b
SHA512

955e24ab139489a2835f553d6e58ebeb2af7dae20317c6510e3289a902bbf2a7ed329776dfc7afaa948d61fd0cd47b7216017003eaa410d4d07348e19848484c
SSDEEP

12288:VuxMRH2MMvs5v5iX7K+k2dV++kQgog5Y:VWu2MMv5++kRc

Score

10^/10

quasar venomrat hacked evasion rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Hacked

Cheaper-60753.portmap.host:62240

Mutex

VNM_MUTEX_7KSPEPYRO6LRW25BBT

Attributes

encryption_key
SPWhfeGvCah4GWzpm6Am
install_name
Host Process for Windows Tasks.exe
log_directory
Microsoft
reconnect_delay
1000
startup_key
Host Process for Windows Services
subdirectory
MIcrosoft

Signatures

Contains code to disable Windows Defender 5 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/2660-0-0x0000000000F30000-0x0000000000FBC000-memory.dmp	disable_win_def
behavioral1/files/0x000b000000015c1b-5.dat	disable_win_def
behavioral1/memory/2140-10-0x00000000008A0000-0x000000000092C000-memory.dmp	disable_win_def
behavioral1/memory/620-102-0x0000000001230000-0x00000000012BC000-memory.dmp	disable_win_def
behavioral1/memory/620-106-0x0000000000600000-0x0000000000640000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

9b664d1737e4b08517167fff2d19bade.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	9b664d1737e4b08517167fff2d19bade.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	9b664d1737e4b08517167fff2d19bade.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	9b664d1737e4b08517167fff2d19bade.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	9b664d1737e4b08517167fff2d19bade.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2660-0-0x0000000000F30000-0x0000000000FBC000-memory.dmp	family_quasar
behavioral1/files/0x000b000000015c1b-5.dat	family_quasar
behavioral1/memory/2140-10-0x00000000008A0000-0x000000000092C000-memory.dmp	family_quasar
behavioral1/memory/620-102-0x0000000001230000-0x00000000012BC000-memory.dmp	family_quasar
behavioral1/memory/620-106-0x0000000000600000-0x0000000000640000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Executes dropped EXE 1 IoCs

Processes:

Host Process for Windows Tasks.exe

pid	Process
2140	Host Process for Windows Tasks.exe

Loads dropped DLL 6 IoCs

Processes:

9b664d1737e4b08517167fff2d19bade.exeWerFault.exe

pid	Process
2660	9b664d1737e4b08517167fff2d19bade.exe
1628	WerFault.exe
1628	WerFault.exe
1628	WerFault.exe
1628	WerFault.exe
1628	WerFault.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

9b664d1737e4b08517167fff2d19bade.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	9b664d1737e4b08517167fff2d19bade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	9b664d1737e4b08517167fff2d19bade.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2	ip-api.com

Drops file in System32 directory 5 IoCs

Processes:

9b664d1737e4b08517167fff2d19bade.exeHost Process for Windows Tasks.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\MIcrosoft\Host Process for Windows Tasks.exe	9b664d1737e4b08517167fff2d19bade.exe
File opened for modification	C:\Windows\SysWOW64\MIcrosoft\Host Process for Windows Tasks.exe	9b664d1737e4b08517167fff2d19bade.exe
File created	C:\Windows\SysWOW64\MIcrosoft\r77-x64.dll	9b664d1737e4b08517167fff2d19bade.exe
File opened for modification	C:\Windows\SysWOW64\MIcrosoft\Host Process for Windows Tasks.exe	Host Process for Windows Tasks.exe
File opened for modification	C:\Windows\SysWOW64\MIcrosoft	Host Process for Windows Tasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1628	2140	WerFault.exe	31

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
2808	schtasks.exe
1384	schtasks.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXE

pid	Process
2876	PING.EXE
336	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exe9b664d1737e4b08517167fff2d19bade.exe9b664d1737e4b08517167fff2d19bade.exe

pid	Process
2708	powershell.exe
2660	9b664d1737e4b08517167fff2d19bade.exe
2660	9b664d1737e4b08517167fff2d19bade.exe
2660	9b664d1737e4b08517167fff2d19bade.exe
2660	9b664d1737e4b08517167fff2d19bade.exe
2660	9b664d1737e4b08517167fff2d19bade.exe
2660	9b664d1737e4b08517167fff2d19bade.exe
2660	9b664d1737e4b08517167fff2d19bade.exe
620	9b664d1737e4b08517167fff2d19bade.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

9b664d1737e4b08517167fff2d19bade.exepowershell.exeHost Process for Windows Tasks.exe9b664d1737e4b08517167fff2d19bade.exe

description	pid	Process
Token: SeDebugPrivilege	2660	9b664d1737e4b08517167fff2d19bade.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2140	Host Process for Windows Tasks.exe
Token: SeDebugPrivilege	2140	Host Process for Windows Tasks.exe
Token: SeDebugPrivilege	620	9b664d1737e4b08517167fff2d19bade.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Host Process for Windows Tasks.exe

pid	Process
2140	Host Process for Windows Tasks.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

9b664d1737e4b08517167fff2d19bade.exeHost Process for Windows Tasks.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2660 wrote to memory of 2808	2660	9b664d1737e4b08517167fff2d19bade.exe	29
PID 2660 wrote to memory of 2808	2660	9b664d1737e4b08517167fff2d19bade.exe	29
PID 2660 wrote to memory of 2808	2660	9b664d1737e4b08517167fff2d19bade.exe	29
PID 2660 wrote to memory of 2808	2660	9b664d1737e4b08517167fff2d19bade.exe	29
PID 2660 wrote to memory of 2140	2660	9b664d1737e4b08517167fff2d19bade.exe	31
PID 2660 wrote to memory of 2140	2660	9b664d1737e4b08517167fff2d19bade.exe	31
PID 2660 wrote to memory of 2140	2660	9b664d1737e4b08517167fff2d19bade.exe	31
PID 2660 wrote to memory of 2140	2660	9b664d1737e4b08517167fff2d19bade.exe	31
PID 2660 wrote to memory of 2708	2660	9b664d1737e4b08517167fff2d19bade.exe	32
PID 2660 wrote to memory of 2708	2660	9b664d1737e4b08517167fff2d19bade.exe	32
PID 2660 wrote to memory of 2708	2660	9b664d1737e4b08517167fff2d19bade.exe	32
PID 2660 wrote to memory of 2708	2660	9b664d1737e4b08517167fff2d19bade.exe	32
PID 2140 wrote to memory of 1384	2140	Host Process for Windows Tasks.exe	34
PID 2140 wrote to memory of 1384	2140	Host Process for Windows Tasks.exe	34
PID 2140 wrote to memory of 1384	2140	Host Process for Windows Tasks.exe	34
PID 2140 wrote to memory of 1384	2140	Host Process for Windows Tasks.exe	34
PID 2140 wrote to memory of 1720	2140	Host Process for Windows Tasks.exe	36
PID 2140 wrote to memory of 1720	2140	Host Process for Windows Tasks.exe	36
PID 2140 wrote to memory of 1720	2140	Host Process for Windows Tasks.exe	36
PID 2140 wrote to memory of 1720	2140	Host Process for Windows Tasks.exe	36
PID 2660 wrote to memory of 1760	2660	9b664d1737e4b08517167fff2d19bade.exe	38
PID 2660 wrote to memory of 1760	2660	9b664d1737e4b08517167fff2d19bade.exe	38
PID 2660 wrote to memory of 1760	2660	9b664d1737e4b08517167fff2d19bade.exe	38
PID 2660 wrote to memory of 1760	2660	9b664d1737e4b08517167fff2d19bade.exe	38
PID 2140 wrote to memory of 1628	2140	Host Process for Windows Tasks.exe	40
PID 2140 wrote to memory of 1628	2140	Host Process for Windows Tasks.exe	40
PID 2140 wrote to memory of 1628	2140	Host Process for Windows Tasks.exe	40
PID 2140 wrote to memory of 1628	2140	Host Process for Windows Tasks.exe	40
PID 1720 wrote to memory of 940	1720	cmd.exe	41
PID 1720 wrote to memory of 940	1720	cmd.exe	41
PID 1720 wrote to memory of 940	1720	cmd.exe	41
PID 1720 wrote to memory of 940	1720	cmd.exe	41
PID 1760 wrote to memory of 2824	1760	cmd.exe	42
PID 1760 wrote to memory of 2824	1760	cmd.exe	42
PID 1760 wrote to memory of 2824	1760	cmd.exe	42
PID 1760 wrote to memory of 2824	1760	cmd.exe	42
PID 1720 wrote to memory of 2876	1720	cmd.exe	43
PID 1720 wrote to memory of 2876	1720	cmd.exe	43
PID 1720 wrote to memory of 2876	1720	cmd.exe	43
PID 1720 wrote to memory of 2876	1720	cmd.exe	43
PID 2660 wrote to memory of 528	2660	9b664d1737e4b08517167fff2d19bade.exe	44
PID 2660 wrote to memory of 528	2660	9b664d1737e4b08517167fff2d19bade.exe	44
PID 2660 wrote to memory of 528	2660	9b664d1737e4b08517167fff2d19bade.exe	44
PID 2660 wrote to memory of 528	2660	9b664d1737e4b08517167fff2d19bade.exe	44
PID 528 wrote to memory of 2116	528	cmd.exe	46
PID 528 wrote to memory of 2116	528	cmd.exe	46
PID 528 wrote to memory of 2116	528	cmd.exe	46
PID 528 wrote to memory of 2116	528	cmd.exe	46
PID 528 wrote to memory of 336	528	cmd.exe	47
PID 528 wrote to memory of 336	528	cmd.exe	47
PID 528 wrote to memory of 336	528	cmd.exe	47
PID 528 wrote to memory of 336	528	cmd.exe	47
PID 528 wrote to memory of 620	528	cmd.exe	50
PID 528 wrote to memory of 620	528	cmd.exe	50
PID 528 wrote to memory of 620	528	cmd.exe	50
PID 528 wrote to memory of 620	528	cmd.exe	50

C:\Users\Admin\AppData\Local\Temp\9b664d1737e4b08517167fff2d19bade.exe
"C:\Users\Admin\AppData\Local\Temp\9b664d1737e4b08517167fff2d19bade.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Loads dropped DLL
- Windows security modification
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Host Process for Windows Services" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\9b664d1737e4b08517167fff2d19bade.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2808
- C:\Windows\SysWOW64\MIcrosoft\Host Process for Windows Tasks.exe
  "C:\Windows\SysWOW64\MIcrosoft\Host Process for Windows Tasks.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Host Process for Windows Services" /sc ONLOGON /tr "C:\Windows\SysWOW64\MIcrosoft\Host Process for Windows Tasks.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1384
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\IEJ66K2BrmES.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:940
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:2876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 1488
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1628
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
    3⤵
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8w28LKQxQybz.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:336
- - C:\Users\Admin\AppData\Local\Temp\9b664d1737e4b08517167fff2d19bade.exe
    "C:\Users\Admin\AppData\Local\Temp\9b664d1737e4b08517167fff2d19bade.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8w28LKQxQybz.bat

Filesize
229B

MD5
b39ffb6d1e513db29ca2be541bf09e8c

SHA1
0a8b9e0960a485503fcbe806018e122b4480872a

SHA256
41177462084b49636b3d8dc464b38adf371f44f00204c66ecb129d11ea0e4902

SHA512
ecba884dc975698d166ed3975a73cf4df8a4bdb319461225d719500e264e82f3caf4db204dd5252d98619f90b35853cad9dbffbd1bba4ef24d3ad42d7882e992

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabADAF.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEJ66K2BrmES.bat

Filesize
223B

MD5
8207194d59cc120869e06f0dafad2236

SHA1
cb87f0950fb49dfd9a94ef77769b9d87b6073b0e

SHA256
5fe23b3a395d6aafb446e971985ff61ce51f70711b217c5d66066db5447b0e90

SHA512
3414d0ecf06b99c9cc0138f4e180eea9db37d71c1b24c1a53bab4576fe95fbc0e0b24a732a6766b5cd125559f478328cef40e1fa4d2441b71289ca78f2b5f7c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarADE1.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Windows\SysWOW64\MIcrosoft\Host Process for Windows Tasks.exe

Filesize
535KB

MD5
9b664d1737e4b08517167fff2d19bade

SHA1
dbbc1588618273813ca9f3de2708f4f4b7934029

SHA256
ed07371994b2bce11a662df8ab5603ed80a73c30cdd4f29d922eae221320a39b

SHA512
955e24ab139489a2835f553d6e58ebeb2af7dae20317c6510e3289a902bbf2a7ed329776dfc7afaa948d61fd0cd47b7216017003eaa410d4d07348e19848484c

Download Submit
memory/620-106-0x0000000000600000-0x0000000000640000-memory.dmp

Filesize
256KB

Download
memory/620-105-0x0000000074570000-0x0000000074C5E000-memory.dmp

Filesize
6.9MB

Download
memory/620-104-0x0000000000600000-0x0000000000640000-memory.dmp

Filesize
256KB

Download
memory/620-103-0x0000000074570000-0x0000000074C5E000-memory.dmp

Filesize
6.9MB

Download
memory/620-102-0x0000000001230000-0x00000000012BC000-memory.dmp

Filesize
560KB

Download
memory/2140-91-0x0000000074570000-0x0000000074C5E000-memory.dmp

Filesize
6.9MB

Download
memory/2140-101-0x00000000007B0000-0x00000000007F0000-memory.dmp

Filesize
256KB

Download
memory/2140-10-0x00000000008A0000-0x000000000092C000-memory.dmp

Filesize
560KB

Download
memory/2140-11-0x0000000074570000-0x0000000074C5E000-memory.dmp

Filesize
6.9MB

Download
memory/2140-12-0x00000000007B0000-0x00000000007F0000-memory.dmp

Filesize
256KB

Download
memory/2660-1-0x0000000074570000-0x0000000074C5E000-memory.dmp

Filesize
6.9MB

Download
memory/2660-2-0x0000000004B50000-0x0000000004B90000-memory.dmp

Filesize
256KB

Download
memory/2660-87-0x0000000074570000-0x0000000074C5E000-memory.dmp

Filesize
6.9MB

Download
memory/2660-89-0x0000000004B50000-0x0000000004B90000-memory.dmp

Filesize
256KB

Download
memory/2660-0-0x0000000000F30000-0x0000000000FBC000-memory.dmp

Filesize
560KB

Download
memory/2660-99-0x0000000074570000-0x0000000074C5E000-memory.dmp

Filesize
6.9MB

Download
memory/2708-16-0x000000006ECD0000-0x000000006F27B000-memory.dmp

Filesize
5.7MB

Download
memory/2708-15-0x000000006ECD0000-0x000000006F27B000-memory.dmp

Filesize
5.7MB

Download
memory/2708-19-0x00000000023D0000-0x0000000002410000-memory.dmp

Filesize
256KB

Download
memory/2708-17-0x00000000023D0000-0x0000000002410000-memory.dmp

Filesize
256KB

Download
memory/2708-18-0x00000000023D0000-0x0000000002410000-memory.dmp

Filesize
256KB

Download
memory/2708-20-0x000000006ECD0000-0x000000006F27B000-memory.dmp

Filesize
5.7MB

Download